The invention relates to systems and methods for protecting computer systems from malware.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.
A particular kind of malware consists of a return-oriented programming (ROP) exploit, also known in the art as a return-into-library attack, or a code reuse attack. A typical ROP exploit includes an illegitimate manipulation of a call stack used by a thread of a process, the illegitimate manipulation intended to alter the original functionality of the respective process. For instance, an exemplary ROP exploit may manipulate the call stack so as to force the host system to execute only a subset of instructions of the original process, and/or to execute such instructions in a sequence that differs from the sequence of instructions of the original process.
By re-using pieces of code from legitimate processes to carry out malicious activities, ROP exploits may evade detection by conventional anti-malware techniques. Therefore, there is a strong interest in developing systems and methods capable of effectively targeting ROP malware, with minimal computational costs.